I was surprised at the extensive coverage of the Barclays Wealth change in customer identification techniques. Barclays have introduced passive voice identification, so the system identifies callers as they speak to an agent in natural language.  It is a challenging way of doing ID&V over a phone–line, but when it can be made to work it has huge security advantages over passwords and PINs. This is a pretty niche area, so for papers like the Daily Telegraph to cover the change, suggests that this is of wider interest than just security geeks and contact centre managers.

It’s long been predicted that the future of phone identification would move from a key entry approach to voice print systems.  For example, in Dec 2010 I offered my thoughts on the speech recognitsion trials at the Department of Work and Pensions and in Jan 2010 I was writing on the advantages of biometrics for pass word re-sets. Yet despite the perceived potential of speech recognition (and the PR and hype), somehow this future never seems to happen.

Despite trials of voice biometrics, UK banks have never really shown much appetite for deploying these systems. In my experience, this has been a mixture of very valid concerns (such as the ability of speech recognition to cope with UK regional accents and user acceptance) and the less valid. Strong regional accents can play havoc with speech recognition and are a real concern in the UK, as no manager wants to explain to their CEO headlines like “Brum deal: Birmingham Council's £11m automated phone system can't understand Brummie accent” and then add that they've spent a lot of money as well. Occasionally, though, I've seen less valid concerns have drive banks - voice biometrics requires co-operation between the IT, security and customer experience departments and for some banks that is just all been too hard. This is despite contact centre being as  critical a channel for customer experience as the web channel for many financial services companies.

The results of the Barclay's Wealth voiceprint investment seem good for customer experience (at least according to the Nuance info-graphic): 

• 84% of frequent callers enrolled within 5 months.
• 95% of enrolled callers successfully verified through speech.
• 93% of customers give Barclays a 9 out of 10 for satisfaction with the voice authentication.
• 5% reduction in call times

All in all a good project with good benefits, but I’m not sure it mentions what should be the main benefit.

The real benefit (as I see it) is that Barclays Wealth are authenticating “who you are”, not “what you know”. The problem with PINs, passwords and mother’s maiden names is that they are all tests of knowledge, and so vulnerable to identity theft. By comparison, a voice-print is much harder to falsify. It’s possible, if difficult, to do so with an active voice authentication approach (i.e. managing to voice record someone saying a password and then re-playing it), but a passive authentication approach is far harder to crack. Crucially, doing authentication during a conversation with an agent means there will be an inherently random element to the conversation, as well as a check that the customer actually is a human.

This passive approach to voice authentication is an elegant way of tackling one element of the threat of identity theft and impersonation.  It is not, though, the whole answer to the threat of fraud in contact centre and this type of approach needs to be supported by rigorous risk assessment and other security processes.

Identity theft and impersonation are only one of the major threats for the call centre. Other threats that should be taken very seriously include infiltration, especially when using off-shore centres (see my past post, "FSA determines offshore call centres a risk - finally!" ). It’s hard enough to vet, monitor and secure staff in your own jurisdiction, but trying to do it through a third party, in an unfamiliar legal environment is (to put it politely) substantially increasing your risk. Finally contact centres should not ignore the straight forward, IT based technical attack. Contact centres don’t just need secure data, but they also need secure voice and unified communications as well and to manage all of these in an integrated manner. In short,  voiceprints are a good answer to a specific threat but it doesn’t remove the dangers.

Disclosure: All views expressed in this post are mine alone and do not represent the views of my employer.